US20080263197A1 - Passively attributing anonymous network events to their associated users - Google Patents
Passively attributing anonymous network events to their associated usersDownload PDFInfo
- Publication number
- US20080263197A1 US20080263197A1US11/790,037US79003707AUS2008263197A1US 20080263197 A1US20080263197 A1US 20080263197A1US 79003707 AUS79003707 AUS 79003707AUS 2008263197 A1US2008263197 A1US 2008263197A1
- Authority
- US
- United States
- Prior art keywords
- event
- attribution
- user
- filtered
- anonymous
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034methodMethods0.000claimsabstractdescription71
- 238000001914filtrationMethods0.000claimsabstractdescription21
- 238000004590computer programMethods0.000claimsabstractdescription13
- 238000013459approachMethods0.000abstractdescription6
- 230000006870functionEffects0.000description30
- 230000008901benefitEffects0.000description6
- 238000001514detection methodMethods0.000description6
- 238000004891communicationMethods0.000description5
- 238000004374forensic analysisMethods0.000description4
- 238000007726management methodMethods0.000description4
- 230000000694effectsEffects0.000description3
- 238000012545processingMethods0.000description3
- 230000000295complement effectEffects0.000description2
- 238000012544monitoring processMethods0.000description2
- 230000003287optical effectEffects0.000description2
- 230000006399behaviorEffects0.000description1
- 238000013500data storageMethods0.000description1
- 238000004519manufacturing processMethods0.000description1
- 238000013507mappingMethods0.000description1
Images
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0604—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
- H04L41/0622—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time based on time
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- the present inventionrelates generally to computer networks, and more particularly to insider threat detection in computer networks.
- IP addressescannot be statically mapped to users within most internal corporate local area networks (LANs).
- LANslocal area networks
- DHCPDynamic Host Configuration Protocol
- DHCPDynamic Host Configuration Protocol
- many organizationstake advantage of Microsoft Windows Roaming Profiles to permit their mobile users to effectively operate from any workstation. Mapping IP addresses to users is particularly important for insider threat detection, which requires knowledge of the user behind the observed behavior.
- Passive fingerprintingallows the identification of the host operating system by observing the TCP/IP protocol and welcome banners associated with well known services (e.g., telnet). More recently, passive fingerprinting has allowed detection of applications running on a host by detecting and analyzing network protocols in use. However, passive fingerprinting does not allow the passive attribution of anonymous network events to their associated users.
- Embodiments of the present inventioninclude filtering network events occurring over a pre-determined time interval to generate a filtered event list. Filtering of the events may be done according to one or more parameters. Based on the filtered event list and the event attribution approach, anonymous network events are attributed to users associated with events in the filtered event list.
- event attributionincludes attributing an anonymous network event to a user associated with a nearest-neighbor event relative to the anonymous network event.
- the nearest-neighbor eventmay be determined based on time proximity or distance relative to the anonymous event.
- event attributionincludes attributing an anonymous network event to a user associated with an event in the filtered event list, wherein that user maximizes an event attribution function.
- event attributionincludes determining a first potential attribution user for an anonymous network event based on a nearest-neighbor attribution approach; determining a second potential attribution user for the anonymous network event based on an event attribution function approach; and comparing the first and second potential attribution users to determine the attribution of the anonymous event.
- Embodiments of the present inventioncan be performed off-line or in real-time.
- Embodiments of the present inventioncan be used, for example, by organizations to complement network intrusion detection systems (NIDSs), network forensic analysis tools (NFATs), and security information management systems (SIMSs).
- NIDSsnetwork intrusion detection systems
- NFATsnetwork forensic analysis tools
- SIMSssecurity information management systems
- NIDSscan only monitor network activity by IP address and would thus benefit from methods according to embodiments of the present invention to increase their monitoring capabilities.
- network forensic analysis toolsthat analyze system network packets and security information management systems that analyze events from security devices would benefit from methods according to the present invention.
- FIG. 1is an example that illustrates a method for passively attributing anonymous network events to users according to an embodiment of the present invention.
- FIG. 2is an example that illustrates another embodiment of the method of FIG. 1 .
- FIG. 3is a process flowchart of the methods of FIGS. 1 and 2 .
- FIG. 4is an example that illustrates another method for passively attributing anonymous network events to users according to an embodiment of the present invention.
- FIG. 5is a process flowchart of the method of FIG. 4 .
- FIG. 6is a process flowchart of another method for passively attributing anonymous network events to users according to the present invention.
- FIG. 7illustrates an example computer useful for implementing components of the invention.
- FIG. 1is an example 100 that illustrates a method for passively attributing anonymous network events to users, according to an embodiment of the present invention.
- Table 101includes a list of network events that occurred over a pre-determined time interval over a network. Associated with each event in table 101 are an event type, a user, an attribution type, an Internet Protocol (IP) address, and a timestamp.
- IPInternet Protocol
- the event typerepresents an action performed by the event.
- event 107is associated with an action to send an email over the network.
- the userrepresents an identity of a network user who is thought to have performed the event.
- an eventis associated with a user with a given degree of certainty.
- thisis described by the attribution type of the event, which represents a level of confidence between the event and its associated user.
- eventsmay be directly attributed, indirectly attributed, or un-attributed.
- Directly attributed eventsare attributed with high confidence to their associated users. For example, an event can be directly attributed to a user if it occurs within a network protocol session that is preceded by a successful user authentication. Indirectly attributed events are attributed with less confidence to their associated users but with enough confidence to be attributed.
- an eventcan be indirectly attributed to a user by using certain indicators that suggest some confidence that the user performed the event.
- un-attributed eventslack user attribution.
- eventsmay be either attributed or unattributed.
- each eventmay be associated with a user with a confidence level between 0 and 1. The confidence level is compared to a pre-defined threshold to determine whether the event is attributed or unattributed.
- the IP address associated with an eventrepresents the IP address where the event originated or is performed.
- the timestamprepresents the time of occurrence of the event.
- events that are not directly attributedundergo a process by which they become directly attributed to a user.
- the attribution processusually labels the events with the identity of the same users to which the events were indirectly attributed.
- Event attributionis described below with respect to an un-attributed event, though the same method is applicable to indirectly attributed events.
- the method illustrated in example 100seeks to attribute event 106 , which is an un-attributed “search query”, to a network user. Accordingly, the pre-determined time interval spanned by the events in table 101 is set according to the timestamp associated with event 106 . For example, the time interval is set so that it is centered around the timestamp associated with event 106 . It is noted that, for ease of illustration, only nine events 102 - 110 are shown in table 101 . In actual implementation, table 101 may include a larger number of events, which, for example, may span several hours of network time.
- the method in example 100works by filtering the list of events contained in table 101 to generate a filtered event list 111 .
- table 101is filtered according to IP address and attribution type so that only events with direct attribution and originating at the same IP address as event 106 are included in filtered event list 111 (in addition to event 106 ).
- events 104 , 105 , and 108are filtered out because they occur at a different IP address than where event 106 occurred.
- events 103 , 107 , and 109are filtered out because they are indirectly attributed to their associated users.
- filtered event list 111includes only two directly attributed events 102 and 110 that also occurred at the same IP address as event 106 .
- Event 102is directly attributed to User 1 .
- Event 110is directly attributed to User 2 .
- event 106may be attributed to either User 1 or User 2 .
- the methodattributes event 106 to the user associated with the nearest-neighbor event relative to event 106 .
- the nearest-neighbor event relative to event 106is determined by selecting the event in filtered event list 111 that is closest in time to event 106 . Accordingly, event 110 is the nearest-neighbor event relative to event 106 , and event 106 is attributed to User 2 . This is because event 110 is approximately 3 minutes apart from event 106 , while event 102 is approximately 14 minutes apart from event 106 .
- the nearest-neighbor event relative to event 106is determined by selecting the event in filtered event list 111 that is closest in distance, measured in event count, to event 106 . In example 100 , however, event 106 is equidistant from events 102 and 110 (three events apart in both cases) and time proximity would need to be used to resolve the nearest-neighbor determination.
- FIG. 2is an example 200 that illustrates another embodiment of the method of FIG. 1 . Similar to example 100 , the method in example 200 works by filtering the list of events in table 101 to generate a filtered event list 201 . Note that table 101 is only filtered by IP address to retain only those events occurring at the same IP address as event 106 . As such, filtered event list 201 contains both directly and indirectly attributed events (in addition to event 106 , which is sought to be attributed).
- the method of example 200also attributes event 106 to the user associated with the nearest-neighbor event relative to event 106 .
- the nearest-neighbor eventis determined by selecting the nearest event in distance to event 106 that is directly attributed, in a chronological ordering of the events in filtered event list 201 .
- the method of example 200considers the relative ordering of events in filtered event list 201 to determine the nearest-neighbor event relative to event 106 .
- the nearest-neighbor event relative to event 106is determined by selecting the event in filtered event list 201 that is closest in time to event 106 .
- each event in filtered event list 201is assigned a relative position denoted by an event number.
- the nearest-neighbor eventis then determined by comparing the positions of directly attributed events relative to the position of event 106 .
- event 102is assigned event number 1 and is separated from event 106 (event number 3 ) by a single event.
- event 110is assigned event number 6 and is separated from event 106 by two events. Accordingly, event 102 is closer in distance to event 106 than event 110 and is thus the nearest-neighbor event relative to event 106 .
- event 106is attributed to the same user, User 1 , as event 102 .
- examples 100 and 200result in different attribution of event 106 based on the approach used for nearest-neighbor event determination.
- the inventionis not limited to the example methods of FIGS. 1 and 2 . As would be understood, other variations of nearest-neighbor determination can be used.
- FIG. 3is a process flowchart 300 corresponding to the methods of FIGS. 1 and 2 .
- Process flowchart 300begins in step 302 , which includes filtering network events occurring over a pre-determined time interval according to IP address and/or event attribution type to generate a filtered event list. In an embodiment, other event characteristics can be used to filter network events in step 302 .
- the filteringincludes determining network events occurring within the pre-determined time interval that originate from the same IP address as the anonymous network event and/or that have direct and/or indirect attribution to associated users.
- Network eventscan be directly attributed, indirectly attributed, or un-attributed.
- a directly attributed eventis one that is attributed to a given user with high confidence. This may be due to a successful authentication event, for example, such as a login.
- An un-attributed eventis an anonymous event.
- Indirectly attributed eventsare those with some type of user context. For example, an “email send” event with the sender's email address in the email can be an indirectly attributed event.
- the pre-determined time intervalis selected according to a timestamp associated with the anonymous network event.
- the time intervalis centered around the timestamp associated with the anonymous event.
- the width of the time intervalmay be a function of the rate of occurrence of network events.
- Step 304includes attributing the anonymous network event to a user associated with a nearest-neighbor event relative to the anonymous network event in the filtered event list.
- step 304includes attributing the anonymous network event to a user associated with an event in the filtered event list having direct attribution and that is nearest in distance to the anonymous network event in a chronological ordering of the filtered event list. Attribution according to this embodiment is illustrated, for example, in FIG. 2 .
- step 304includes attributing the anonymous network event to a user associated with an event in the filtered event list having direct attribution and that is nearest in time to the anonymous network event. Attribution according to this embodiment is illustrated, for example, in FIG. 1 .
- eventsare attributed to users through user identifiers that are associated with the users.
- the user “John Smith”may have an account userid of “jsmith” that is used to attribute events performed by the userid to the actual user.
- emails sent from the email account “john.smith@some.company”are also events by the same user “John Smith”. It is important that these events are attributed to the same user identity and not be identified as performed by different users.
- the different user identifierse.g., jsmith, john.smith@some.company, etc.
- a common forme.g., jsmith
- FIG. 4is an example 400 that illustrates another method for passively attributing anonymous network events to users according to an embodiment of the present invention.
- the method in example 400works by filtering the list of events in table 101 to generate a filtered event list 401 .
- table 401is filtered, as in example 200 , by IP address to retain only those events occurring at the same IP address as event 106 .
- filtered event list 401contains both directly and indirectly attributed events (in addition to event 106 , which is sought to be attributed).
- the methodthen attributes event 106 to a user associated with an event in filtered event list 401 , where that user maximizes an event attribution function.
- the method of example 400determines which of User 1 or User 2 results in a higher value of an event attribution function and attributes event 106 to that user. In an embodiment, if both event attribution function values are lower than a given threshold, the event remains un-attributed.
- the event attribution function value for a given useris related to the events associated with that user in filtered event list 401 .
- the event attribution function valuemay be a function of certain characteristics of those events including event type, event attribution type, and/or event proximity to the event being attributed (event 106 in example 400 ).
- events 102 and 103are attributed to User 1 .
- events 107 , 109 , and 110are attributed to User 2 .
- Each of users User 1 and User 2has one directly attributed event associated with it, namely events 102 and 110 , respectively.
- the event attribution function valueis calculated for a given user as a sum of the form:
- Kis a kernel function
- e irepresents the event being attributed
- S (u)is the sequence of events associated with that given user in the filtered event list.
- the kernel function K(e i , e j )calculates a value for a given event e j with respect to event e i .
- the kernel functionfactors in the event type, the event attribution type, and the time proximity of event e j relative to event e i .
- the kernel functionmay be of the form:
- ⁇ jrepresents a weight associated with event e j according to event type and/or attribution type
- t jrepresents the time of occurrence of event e j
- t irepresents the time of occurrence of the anonymous event
- ⁇represents a width of the kernel function
- an event e jis assigned a weight ⁇ j of 1.0 if it is directly attributed and of 0.9 if it is indirectly attributed.
- the weightcorrelates with the confidence level associated with the attribution of the event. Accordingly, in example 400 , for ⁇ equal to 5 ⁇ 10 ⁇ 5 , the event attribution function value for User 1 and User 2 with respect to event 106 , calculated according to equation (1), would be approximately equal to 4.7 ⁇ 10 ⁇ 11 and 1.036, respectively. Event 106 is therefore attributed to User 2 .
- the weight of an indirectly attributed eventalso varies according to the event type.
- FIG. 5is a process flowchart 500 of the method of FIG. 4 .
- Process flowchart 500begins in step 502 , which includes filtering network events occurring over a pre-determined time interval according to one or more of IP address and event attribution type to generate a filtered event list.
- the filteringincludes determining network events occurring within the pre-determined time interval that originate from the same IP address as the anonymous network event and/or that have direct and/or indirect attribution to associated users. As described above, network events can be directly attributed, indirectly attributed, or un-attributed.
- the pre-determined time intervalis selected according to a timestamp associated with the anonymous network event.
- the time intervalis centered around the timestamp associated with the anonymous event.
- the width of the time intervalmay be a function of the rate of network events.
- Step 504includes attributing the anonymous network event to a user associated with an event in the filtered event list, wherein the user maximizes an event attribution function.
- step 504includes calculating, for each user associated with an event in the filtered event list, an event attribution function value; and selecting a user having the largest event attribution function value to associate with the anonymous network event.
- the event attribution function value, for each useris related to events associated with the user within the pre-determined time interval. Further, the event attribution function value may be related to one or more of the event type, event attribution type, and event time proximity relative to the anonymous network event of the events associated with the user within the pre-determined time interval.
- the event attribution function valueis calculated according to:
- e irepresents the anonymous network event
- S (u)represents a set of events associated with a given user in the filtered event list
- Krepresents a kernel function
- the kernel function Kis according to:
- ⁇ jrepresents a weight associated with an event according to event type and/or attribution type
- t jrepresents the time of occurrence of the event
- t irepresents the time of occurrence of the anonymous event
- ⁇represents a width of the kernel function
- Directly attributed eventsare assigned greater weight than indirectly attributed or un-attributed events.
- directly attributed eventsare assigned a weight of 1.0 and un-attributed events are assigned a weight of 0.0.
- Indirectly attributed eventsare assigned weights between 0 and 1 depending on event type. For example, indirectly attributed “print” events may be assigned a weight of 0.999, indirectly attributed “email send” events may be assigned a weight of 0.99, and “FTP” events may be assigned a weight of 0.9.
- FIG. 6is a process flowchart 600 of another method for passively attributing anonymous network events to users according to the present invention.
- Process flowchart 600begins in step 602 , which includes filtering network events occurring over a predetermined time interval according to IP address and/or event attribution type to generate a filtered event list.
- Step 604includes determining a first potential attribution user in the filtered event list, wherein the first potential attribution user is associated with a nearest-neighbor event relative to the anonymous network event in the filtered event list.
- step 604implements a method according to process flowchart 300 of FIG. 3 .
- Step 606includes determining a second potential attribution user in the filtered event list, wherein the second potential attribution user maximizes an event attribution function.
- step 606implements a method according to process flowchart 500 of FIG. 5 .
- Step 608includes attributing the anonymous network event to the first or second potential attribution user when the first and second potential attribution users are the same user. Alternatively, step 608 includes maintaining the anonymous network event un-attributed if the first and second potential attribution users are different or if the weight calculated for the un-attributed event using the event attribution function is less than a specified threshold.
- Embodiments of the present inventionsuch as methods according to process flowcharts 300 , 500 , and 600 , for example, can be performed off-line or in real-time.
- Embodiments of the present inventioncan be used by organizations to complement network-based intrusion detection systems (NIDSs), network forensic analysis tools (NFATs), and security information management systems (SIMSs).
- NIDSscan only monitor network activity by IP address and would thus benefit from methods according to the present invention to increase their monitoring capabilities.
- network forensic analysis toolsthat analyze system network packets and security information management systems that analyze events from security devices would benefit from methods according to the present invention. In both cases, knowing the identity of the user account associated with a given event helps provide analysts the information needed to effectively respond to the observed activity.
- system and components of the present invention described hereinare implemented using well known computers, such as computer 702 shown in FIG. 7 .
- the computer 702can be any commercially available and well known computer capable of performing the functions described herein, such as computers available from International Business Machines, Apple, Sun, HP, Dell, Compaq, Digital, Cray, etc.
- the computer 702includes one or more processors (also called central processing units, or CPUs), such as a processor 706 .
- the processor 706is connected to a communication bus 704 .
- the computer 702also includes a main or primary memory 708 , such as random access memory (RAM).
- the primary memory 708has stored therein control logic 728 A (computer software), and data.
- the computer 702also includes one or more secondary storage devices 710 .
- the secondary storage devices 710include, for example, a hard disk drive 712 and/or a removable storage device or drive 714 , as well as other types of storage devices, such as memory cards and memory sticks.
- the removable storage drive 714represents a floppy disk drive, a magnetic tape drive, a compact disk drive, an optical storage device, tape backup, etc.
- the removable storage drive 714interacts with a removable storage unit 716 .
- the removable storage unit 716includes a computer useable or readable storage medium 724 having stored therein computer software 728 B (control logic) and/or data.
- Removable storage unit 716represents a floppy disk, magnetic tape, compact disk, DVD, optical storage disk, or any other computer data storage device.
- the removable storage drive 714reads from and/or writes to the removable storage unit 716 in a well known manner.
- the computer 702also includes input/output/display devices 722 , such as monitors, keyboards, pointing devices, etc.
- the computer 702further includes a communication or network interface 718 .
- the network interface 718enables the computer 702 to communicate with remote devices.
- the network interface 718allows the computer 702 to communicate over communication networks or mediums 724 B (representing a form of a computer useable or readable medium), such as LANs, WANs, the Internet, etc.
- the network interface 718may interface with remote sites or networks via wired or wireless connections.
- Control logic 728 Cmay be transmitted to and from the computer 702 via the communication medium 724 B. More particularly, the computer 702 may receive and transmit carrier waves (electromagnetic signals) modulated with control logic 730 via the communication medium 724 B.
- carrier waveselectromagtic signals
- Any apparatus or manufacture comprising a computer useable or readable medium having control logic (software) stored thereinis referred to herein as a computer program product or program storage device.
- the inventioncan work with software, hardware, and/or operating system implementations other than those described herein. Any software, hardware, and operating system implementations suitable for performing the functions described herein can be used.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
- 1. Field of the Invention
- The present invention relates generally to computer networks, and more particularly to insider threat detection in computer networks.
- 2. Background Art
- In many situations, network and security analysts need to map observed network events to the users that generated them. However, many events produced by devices such as network-based intrusion detection systems (NIDSs) and firewalls only identify the source of the event as an Internet Protocol (IP) address of the originating host. Unfortunately, IP addresses cannot be statically mapped to users within most internal corporate local area networks (LANs). The commonly used Dynamic Host Configuration Protocol (DHCP) dynamically leases IP addresses to hosts on a first-come, first-served basis and for limited durations. In addition, many organizations take advantage of Microsoft Windows Roaming Profiles to permit their mobile users to effectively operate from any workstation. Mapping IP addresses to users is particularly important for insider threat detection, which requires knowledge of the user behind the observed behavior.
- Passive fingerprinting allows the identification of the host operating system by observing the TCP/IP protocol and welcome banners associated with well known services (e.g., telnet). More recently, passive fingerprinting has allowed detection of applications running on a host by detecting and analyzing network protocols in use. However, passive fingerprinting does not allow the passive attribution of anonymous network events to their associated users.
- What are needed therefore are methods for passively attributing anonymous network events to their associated users.
- Systems, methods, and computer program products for passively attributing anonymous network events to their associated users are provided herein.
- Embodiments of the present invention include filtering network events occurring over a pre-determined time interval to generate a filtered event list. Filtering of the events may be done according to one or more parameters. Based on the filtered event list and the event attribution approach, anonymous network events are attributed to users associated with events in the filtered event list.
- In an embodiment, event attribution includes attributing an anonymous network event to a user associated with a nearest-neighbor event relative to the anonymous network event. The nearest-neighbor event may be determined based on time proximity or distance relative to the anonymous event.
- In another embodiment, event attribution includes attributing an anonymous network event to a user associated with an event in the filtered event list, wherein that user maximizes an event attribution function.
- In a further embodiment, event attribution includes determining a first potential attribution user for an anonymous network event based on a nearest-neighbor attribution approach; determining a second potential attribution user for the anonymous network event based on an event attribution function approach; and comparing the first and second potential attribution users to determine the attribution of the anonymous event.
- Embodiments of the present invention can be performed off-line or in real-time.
- Embodiments of the present invention can be used, for example, by organizations to complement network intrusion detection systems (NIDSs), network forensic analysis tools (NFATs), and security information management systems (SIMSs). As noted above, NIDSs can only monitor network activity by IP address and would thus benefit from methods according to embodiments of the present invention to increase their monitoring capabilities. Similarly, network forensic analysis tools that analyze system network packets and security information management systems that analyze events from security devices would benefit from methods according to the present invention.
- Further embodiments, features, and advantages of the present invention, as well as the structure and operation of the various embodiments of the present invention, are described in detail below with reference to the accompanying drawings.
- The accompanying drawings, which are incorporated herein and form a part of the specification, illustrate the present invention and, together with the description, further serve to explain the principles of the invention and to enable a person skilled in the pertinent art to make and use the invention.
FIG. 1 is an example that illustrates a method for passively attributing anonymous network events to users according to an embodiment of the present invention.FIG. 2 is an example that illustrates another embodiment of the method ofFIG. 1 .FIG. 3 is a process flowchart of the methods ofFIGS. 1 and 2 .FIG. 4 is an example that illustrates another method for passively attributing anonymous network events to users according to an embodiment of the present invention.FIG. 5 is a process flowchart of the method ofFIG. 4 .FIG. 6 is a process flowchart of another method for passively attributing anonymous network events to users according to the present invention.FIG. 7 illustrates an example computer useful for implementing components of the invention.- The present invention will be described with reference to the accompanying drawings. Generally, the drawing in which an element first appears is typically indicated by the leftmost digit(s) in the corresponding reference number.
FIG. 1 is an example100 that illustrates a method for passively attributing anonymous network events to users, according to an embodiment of the present invention.- Table101 includes a list of network events that occurred over a pre-determined time interval over a network. Associated with each event in table101 are an event type, a user, an attribution type, an Internet Protocol (IP) address, and a timestamp.
- The event type represents an action performed by the event. For example,
event 107 is associated with an action to send an email over the network. - The user represents an identity of a network user who is thought to have performed the event. Typically, an event is associated with a user with a given degree of certainty. In table101, this is described by the attribution type of the event, which represents a level of confidence between the event and its associated user. In example100, events may be directly attributed, indirectly attributed, or un-attributed. Directly attributed events are attributed with high confidence to their associated users. For example, an event can be directly attributed to a user if it occurs within a network protocol session that is preceded by a successful user authentication. Indirectly attributed events are attributed with less confidence to their associated users but with enough confidence to be attributed. For example, an event can be indirectly attributed to a user by using certain indicators that suggest some confidence that the user performed the event. On the other hand, un-attributed events lack user attribution. Alternatively, events may be either attributed or unattributed. In such embodiment, each event may be associated with a user with a confidence level between 0 and 1. The confidence level is compared to a pre-defined threshold to determine whether the event is attributed or unattributed.
- Referring back to table101, the IP address associated with an event represents the IP address where the event originated or is performed. The timestamp represents the time of occurrence of the event.
- According to an embodiment of the present invention, events that are not directly attributed undergo a process by which they become directly attributed to a user. In the case of indirectly attributed events, the attribution process usually labels the events with the identity of the same users to which the events were indirectly attributed. Event attribution is described below with respect to an un-attributed event, though the same method is applicable to indirectly attributed events.
- The method illustrated in example100 seeks to attribute
event 106, which is an un-attributed “search query”, to a network user. Accordingly, the pre-determined time interval spanned by the events in table101 is set according to the timestamp associated withevent 106. For example, the time interval is set so that it is centered around the timestamp associated withevent 106. It is noted that, for ease of illustration, only nine events102-110 are shown in table101. In actual implementation, table101 may include a larger number of events, which, for example, may span several hours of network time. - The method in example100 works by filtering the list of events contained in table101 to generate a filtered
event list 111. In the embodiment of example100, table101 is filtered according to IP address and attribution type so that only events with direct attribution and originating at the same IP address asevent 106 are included in filtered event list111 (in addition to event106). Note, for example, thatevents event 106 occurred. Similarly,events - According to example100, filtered
event list 111 includes only two directly attributedevents event 106.Event 102 is directly attributed to User1.Event 110 is directly attributed to User2. As such,event 106 may be attributed to either User1 or User2. In an embodiment, the method attributesevent 106 to the user associated with the nearest-neighbor event relative toevent 106. - In example100, the nearest-neighbor event relative to
event 106 is determined by selecting the event in filteredevent list 111 that is closest in time toevent 106. Accordingly,event 110 is the nearest-neighbor event relative toevent 106, andevent 106 is attributed to User2. This is becauseevent 110 is approximately 3 minutes apart fromevent 106, whileevent 102 is approximately 14 minutes apart fromevent 106. Alternatively, the nearest-neighbor event relative toevent 106 is determined by selecting the event in filteredevent list 111 that is closest in distance, measured in event count, toevent 106. In example100, however,event 106 is equidistant fromevents 102 and110 (three events apart in both cases) and time proximity would need to be used to resolve the nearest-neighbor determination. FIG. 2 is an example200 that illustrates another embodiment of the method ofFIG. 1 . Similar to example100, the method in example200 works by filtering the list of events in table101 to generate a filteredevent list 201. Note that table101 is only filtered by IP address to retain only those events occurring at the same IP address asevent 106. As such, filteredevent list 201 contains both directly and indirectly attributed events (in addition toevent 106, which is sought to be attributed).- The method of example200 also attributes
event 106 to the user associated with the nearest-neighbor event relative toevent 106. However, in example200, the nearest-neighbor event is determined by selecting the nearest event in distance toevent 106 that is directly attributed, in a chronological ordering of the events in filteredevent list 201. In other words, the method of example200 considers the relative ordering of events in filteredevent list 201 to determine the nearest-neighbor event relative toevent 106. Alternatively, the nearest-neighbor event relative toevent 106 is determined by selecting the event in filteredevent list 201 that is closest in time toevent 106. - As illustrated in
FIG. 2 , each event in filteredevent list 201 is assigned a relative position denoted by an event number. The nearest-neighbor event is then determined by comparing the positions of directly attributed events relative to the position ofevent 106. In example200, onlyevents Event 102 is assignedevent number 1 and is separated from event106 (event number3) by a single event. On the other hand,event 110 is assignedevent number 6 and is separated fromevent 106 by two events. Accordingly,event 102 is closer in distance toevent 106 thanevent 110 and is thus the nearest-neighbor event relative toevent 106. As such, in example200,event 106 is attributed to the same user, User1, asevent 102. - In cases where the event being attributed is at an equal distance from the two nearest directly attributed events, other nearest-neighbor determination methods including time proximity can be used.
- Note that examples100 and200 result in different attribution of
event 106 based on the approach used for nearest-neighbor event determination. The invention is not limited to the example methods ofFIGS. 1 and 2 . As would be understood, other variations of nearest-neighbor determination can be used. FIG. 3 is aprocess flowchart 300 corresponding to the methods ofFIGS. 1 and 2 .Process flowchart 300 begins instep 302, which includes filtering network events occurring over a pre-determined time interval according to IP address and/or event attribution type to generate a filtered event list. In an embodiment, other event characteristics can be used to filter network events instep 302.- In an embodiment, the filtering includes determining network events occurring within the pre-determined time interval that originate from the same IP address as the anonymous network event and/or that have direct and/or indirect attribution to associated users. Network events can be directly attributed, indirectly attributed, or un-attributed. As described above, a directly attributed event is one that is attributed to a given user with high confidence. This may be due to a successful authentication event, for example, such as a login. An un-attributed event is an anonymous event. Indirectly attributed events are those with some type of user context. For example, an “email send” event with the sender's email address in the email can be an indirectly attributed event.
- The pre-determined time interval is selected according to a timestamp associated with the anonymous network event. In an embodiment, the time interval is centered around the timestamp associated with the anonymous event. The width of the time interval may be a function of the rate of occurrence of network events.
- Step304 includes attributing the anonymous network event to a user associated with a nearest-neighbor event relative to the anonymous network event in the filtered event list.
- In an embodiment,
step 304 includes attributing the anonymous network event to a user associated with an event in the filtered event list having direct attribution and that is nearest in distance to the anonymous network event in a chronological ordering of the filtered event list. Attribution according to this embodiment is illustrated, for example, inFIG. 2 . - In another embodiment,
step 304 includes attributing the anonymous network event to a user associated with an event in the filtered event list having direct attribution and that is nearest in time to the anonymous network event. Attribution according to this embodiment is illustrated, for example, inFIG. 1 . - In practice, events are attributed to users through user identifiers that are associated with the users. For example, the user “John Smith” may have an account userid of “jsmith” that is used to attribute events performed by the userid to the actual user. At the same time, emails sent from the email account “john.smith@some.company” are also events by the same user “John Smith”. It is important that these events are attributed to the same user identity and not be identified as performed by different users. In an embodiment, the different user identifiers (e.g., jsmith, john.smith@some.company, etc.) are normalized to a common form (e.g., jsmith) through the use of a lookup table that maps all the different identifiers associated with a user to this common form.
FIG. 4 is an example400 that illustrates another method for passively attributing anonymous network events to users according to an embodiment of the present invention.- The method in example400 works by filtering the list of events in table101 to generate a filtered
event list 401. Note that table401 is filtered, as in example200, by IP address to retain only those events occurring at the same IP address asevent 106. As such, filteredevent list 401 contains both directly and indirectly attributed events (in addition toevent 106, which is sought to be attributed). - The method then attributes
event 106 to a user associated with an event in filteredevent list 401, where that user maximizes an event attribution function. In example400, there are only two distinct users, User1 and User2, that are associated with events in filteredevent list 401. As such, the method of example400 determines which of User1 or User2 results in a higher value of an event attribution function and attributesevent 106 to that user. In an embodiment, if both event attribution function values are lower than a given threshold, the event remains un-attributed. - In an embodiment, the event attribution function value for a given user is related to the events associated with that user in filtered
event list 401. For example, the event attribution function value may be a function of certain characteristics of those events including event type, event attribution type, and/or event proximity to the event being attributed (event 106 in example400). - In example400,
events events events
Σej εS(u) K(ei, ej) (1)- where K is a kernel function, eirepresents the event being attributed, and S(u)is the sequence of events associated with that given user in the filtered event list.
- The kernel function K(ei, ej) calculates a value for a given event ejwith respect to event ei. In an embodiment, the kernel function factors in the event type, the event attribution type, and the time proximity of event ejrelative to event ei. For example, the kernel function may be of the form:
K(ei, ej)=ωje−γ(ti −tj )2 (2)- wherein ωjrepresents a weight associated with event ejaccording to event type and/or attribution type, tjrepresents the time of occurrence of event ej, tirepresents the time of occurrence of the anonymous event, and γ represents a width of the kernel function.
- In an example implementation, an event ejis assigned a weight ωjof 1.0 if it is directly attributed and of 0.9 if it is indirectly attributed. The weight correlates with the confidence level associated with the attribution of the event. Accordingly, in example400, for γ equal to 5×10−5, the event attribution function value for User1 and User2 with respect to
event 106, calculated according to equation (1), would be approximately equal to 4.7×10−11and 1.036, respectively.Event 106 is therefore attributed to User2. In another implementation, the weight of an indirectly attributed event also varies according to the event type. FIG. 5 is aprocess flowchart 500 of the method ofFIG. 4 .Process flowchart 500 begins instep 502, which includes filtering network events occurring over a pre-determined time interval according to one or more of IP address and event attribution type to generate a filtered event list.- In an embodiment, the filtering includes determining network events occurring within the pre-determined time interval that originate from the same IP address as the anonymous network event and/or that have direct and/or indirect attribution to associated users. As described above, network events can be directly attributed, indirectly attributed, or un-attributed.
- The pre-determined time interval is selected according to a timestamp associated with the anonymous network event. In an embodiment, the time interval is centered around the timestamp associated with the anonymous event. The width of the time interval may be a function of the rate of network events.
- Step504 includes attributing the anonymous network event to a user associated with an event in the filtered event list, wherein the user maximizes an event attribution function.
- In an embodiment,
step 504 includes calculating, for each user associated with an event in the filtered event list, an event attribution function value; and selecting a user having the largest event attribution function value to associate with the anonymous network event. In an embodiment, the event attribution function value, for each user, is related to events associated with the user within the pre-determined time interval. Further, the event attribution function value may be related to one or more of the event type, event attribution type, and event time proximity relative to the anonymous network event of the events associated with the user within the pre-determined time interval. - In an embodiment, the event attribution function value is calculated according to:
Σej εS(u) K(ei, ej) (3)- wherein eirepresents the anonymous network event, S(u)represents a set of events associated with a given user in the filtered event list, and K represents a kernel function.
- In an embodiment, the kernel function K is according to:
K(ei, ej)=ωje−γ(ti −tj )2 (4)- wherein ωj represents a weight associated with an event according to event type and/or attribution type, tjrepresents the time of occurrence of the event, tirepresents the time of occurrence of the anonymous event, and γ represents a width of the kernel function.
- Directly attributed events are assigned greater weight than indirectly attributed or un-attributed events. In an embodiment, directly attributed events are assigned a weight of 1.0 and un-attributed events are assigned a weight of 0.0. Indirectly attributed events are assigned weights between 0 and 1 depending on event type. For example, indirectly attributed “print” events may be assigned a weight of 0.999, indirectly attributed “email send” events may be assigned a weight of 0.99, and “FTP” events may be assigned a weight of 0.9.
FIG. 6 is aprocess flowchart 600 of another method for passively attributing anonymous network events to users according to the present invention.Process flowchart 600 begins instep 602, which includes filtering network events occurring over a predetermined time interval according to IP address and/or event attribution type to generate a filtered event list.- Step604 includes determining a first potential attribution user in the filtered event list, wherein the first potential attribution user is associated with a nearest-neighbor event relative to the anonymous network event in the filtered event list. In an embodiment, step604 implements a method according to
process flowchart 300 ofFIG. 3 . - Step606 includes determining a second potential attribution user in the filtered event list, wherein the second potential attribution user maximizes an event attribution function. In an embodiment, step606 implements a method according to
process flowchart 500 ofFIG. 5 . - Step608 includes attributing the anonymous network event to the first or second potential attribution user when the first and second potential attribution users are the same user. Alternatively,
step 608 includes maintaining the anonymous network event un-attributed if the first and second potential attribution users are different or if the weight calculated for the un-attributed event using the event attribution function is less than a specified threshold. - Embodiments of the present invention such as methods according to
process flowcharts - Embodiments of the present invention can be used by organizations to complement network-based intrusion detection systems (NIDSs), network forensic analysis tools (NFATs), and security information management systems (SIMSs). As noted above, NIDSs can only monitor network activity by IP address and would thus benefit from methods according to the present invention to increase their monitoring capabilities. Similarly, network forensic analysis tools that analyze system network packets and security information management systems that analyze events from security devices would benefit from methods according to the present invention. In both cases, knowing the identity of the user account associated with a given event helps provide analysts the information needed to effectively respond to the observed activity.
- In an embodiment of the present invention, the system and components of the present invention described herein are implemented using well known computers, such as
computer 702 shown inFIG. 7 . - The
computer 702 can be any commercially available and well known computer capable of performing the functions described herein, such as computers available from International Business Machines, Apple, Sun, HP, Dell, Compaq, Digital, Cray, etc. - The
computer 702 includes one or more processors (also called central processing units, or CPUs), such as aprocessor 706. Theprocessor 706 is connected to acommunication bus 704. - The
computer 702 also includes a main orprimary memory 708, such as random access memory (RAM). Theprimary memory 708 has stored therein controllogic 728A (computer software), and data. - The
computer 702 also includes one or moresecondary storage devices 710. Thesecondary storage devices 710 include, for example, ahard disk drive 712 and/or a removable storage device or drive714, as well as other types of storage devices, such as memory cards and memory sticks. Theremovable storage drive 714 represents a floppy disk drive, a magnetic tape drive, a compact disk drive, an optical storage device, tape backup, etc. - The
removable storage drive 714 interacts with aremovable storage unit 716. Theremovable storage unit 716 includes a computer useable or readable storage medium724 having stored thereincomputer software 728B (control logic) and/or data.Removable storage unit 716 represents a floppy disk, magnetic tape, compact disk, DVD, optical storage disk, or any other computer data storage device. Theremovable storage drive 714 reads from and/or writes to theremovable storage unit 716 in a well known manner. - The
computer 702 also includes input/output/display devices 722, such as monitors, keyboards, pointing devices, etc. - The
computer 702 further includes a communication ornetwork interface 718. Thenetwork interface 718 enables thecomputer 702 to communicate with remote devices. For example, thenetwork interface 718 allows thecomputer 702 to communicate over communication networks or mediums724B (representing a form of a computer useable or readable medium), such as LANs, WANs, the Internet, etc. Thenetwork interface 718 may interface with remote sites or networks via wired or wireless connections. Control logic 728C may be transmitted to and from thecomputer 702 via the communication medium724B. More particularly, thecomputer 702 may receive and transmit carrier waves (electromagnetic signals) modulated withcontrol logic 730 via the communication medium724B.- Any apparatus or manufacture comprising a computer useable or readable medium having control logic (software) stored therein is referred to herein as a computer program product or program storage device. This includes, but is not limited to, the
computer 702, themain memory 708, thesecondary storage devices 710, theremovable storage unit 716 and the carrier waves modulated withcontrol logic 730. Such computer program products, having control logic stored therein that, when executed by one or more data processing devices, cause such data processing devices to operate as described herein, represent embodiments of the invention. - The invention can work with software, hardware, and/or operating system implementations other than those described herein. Any software, hardware, and operating system implementations suitable for performing the functions described herein can be used.
- While various embodiments of the present invention have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be apparent to persons skilled in the relevant art that various changes in form and detail can be made therein without departing from the spirit and scope of the invention. Thus, the breadth and scope of the present invention should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.
Claims (25)
1. A method for passively attributing an anonymous network event to an associated user, comprising:
filtering network events occurring over a pre-determined time interval according to at least one of Internet Protocol (IP) address and event attribution type to generate a filtered event list; and
attributing the anonymous network event to a user associated with an event in said filtered event list, wherein said user maximizes an event attribution function.
2. The method ofclaim 1 , wherein said pre-determined time interval is selected according to a timestamp associated with the anonymous network event.
3. The method ofclaim 1 , wherein said filtering step comprises determining network events originating from the same IP address as the anonymous network event.
4. The method ofclaim 1 , wherein said filtering step comprises determining network events having direct and/or indirect attribution to associated users.
5. The method ofclaim 1 , wherein said attributing step comprises:
calculating, for each user associated with an event in said filtered event list, an event attribution function value; and
selecting a user having the largest event attribution function value.
6. The method ofclaim 5 , wherein, for each user associated with an event in said filtered list, the event attribution function value is related to events associated with said each user within said pre-determined time interval.
7. The method ofclaim 6 , wherein the event attribution function value is related to one or more of event type, event attribution type, and event time proximity relative to the anonymous network event of said events associated with said each user.
8. The method ofclaim 5 , wherein the event attribution function value is calculated according to:
Σej εS(u) K(ei, ej)
Σe
wherein eirepresents the anonymous network event, S(u)represents a set of events associated with a given one of said each user, and K represents a kernel function.
9. The method ofclaim 8 , wherein the kernel function is according to:
K(ei, ej)=ωje−γ(ti −tj )2
K(ei, ej)=ωje−γ(t
wherein ωjrepresents a weight associated with an event according to event type and/or attribution type, γ represents a width of the kernel function, and tirepresents the time of occurrence of the anonymous event.
10. The method ofclaim 1 , wherein the event attribution type is one of direct attribution, indirect attribution, or unattributed.
11. A method for passively attributing an anonymous network event to an associated user, comprising:
filtering network events occurring over a pre-determined time interval according to at least one of Internet Protocol (IP) address and event attribution type to generate a filtered event list; and
attributing the anonymous network event to a user associated with a nearest-neighbor event relative to said anonymous network event in said filtered event list.
12. The method ofclaim 11 , wherein said pre-determined time interval is selected according to a timestamp associated with the anonymous network event.
13. The method ofclaim 11 , wherein said filtering step comprises determining network events originating from the same IP address as the anonymous network event.
14. The method ofclaim 11 , wherein said filtering step comprises determining network events having direct and/or indirect attribution to associated users.
15. The method ofclaim 11 , wherein said attributing step comprises attributing the anonymous network event to a user associated with an event in said filtered event list, wherein said event has direct attribution and is nearest in distance to the anonymous network event in a chronological ordering of said filtered event list.
16. The method ofclaim 11 , wherein said attributing step comprises attributing the anonymous network event to a user associated with an event in said filtered event list, wherein said event has direct attribution and is nearest in time to the anonymous network event.
17. The method ofclaim 11 , wherein said attributing step comprises attributing the anonymous network event to a user associated with an event in said filtered event list, wherein said event has direct attribution and is nearest in distance to the anonymous network event based on an event count separating said event from the anonymous network event.
18. The method ofclaim 11 , wherein said attributing step comprises attributing the anonymous network event to a user associated with an event in said filtered event list, wherein said event is nearest in time to the anonymous network event.
19. The method ofclaim 1 , wherein the event attribution type is one of direct attribution, indirect attribution, or unattributed.
20. A method for passively attributing an anonymous network event to an associated user, comprising:
filtering network events occurring over a pre-determined time interval according to at least one of Internet Protocol (IP) address and event attribution type to generate a filtered event list;
determining a first potential attribution user in said filtered event list, wherein said first potential attribution user is associated with a nearest-neighbor event relative to said anonymous event in said filtered event list;
determining a second potential attribution user in said filtered event list, wherein said second potential attribution user maximizes an event attribution function; and
attributing the anonymous network event to the first or second potential attribution user when said first and second potential attribution users are the same user.
21. The method ofclaim 20 , further comprising:
maintaining the anonymous network event unattributed if the first and second potential attribution users are different.
22. The method ofclaim 20 , wherein the method is performed off-line on in real-time.
23. A computer program product comprising a computer useable medium having computer program logic recorded thereon for enabling a processor to passively attribute an anonymous network event to an associated user, the computer program logic comprising:
filtering means for enabling a processor to filter network events occurring over a pre-determined time interval according to at least one of Internet Protocol (IP) address and event attribution type to generate a filtered event list; and
attributing means for enabling a processor to attribute the anonymous network event to a user associated with an event in said filtered event list, wherein said user maximizes an event attribution function.
24. A computer program product comprising a computer useable medium having computer program logic recorded thereon for enabling a processor to passively attribute an anonymous network event to an associated user, the computer program logic comprising:
filtering means for enabling a processor to filter network events occurring over a pre-determined time interval according to at least one of Internet Protocol (IP) address and event attribution type to generate a filtered event list; and
attributing means for enabling a processor to attribute the anonymous network event to a user associated with a nearest-neighbor event relative to said anonymous network event in said filtered event list.
25. A computer program product comprising a computer useable medium having computer program logic recorded thereon for enabling a processor to passively attribute an anonymous network event to an associated user, the computer program logic comprising:
filtering means for enabling a processor to filter network events occurring over a pre-determined time interval according to at least one of Internet Protocol (IP) address and event attribution type to generate a filtered event list;
first determining means for enabling a processor to determine a first potential attribution user in said filtered event list, wherein said first potential attribution user is associated with a nearest-neighbor event relative to said anonymous event in said filtered event list;
second determining means for enabling a processor to determine a second potential attribution user in said filtered event list, wherein said second potential attribution user maximizes an event attribution function; and
attributing means for enabling a processor to attribute the anonymous network event to the first or second potential attribution user when said first and second potential attribution users are the same user.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US11/790,037US8996681B2 (en) | 2007-04-23 | 2007-04-23 | Passively attributing anonymous network events to their associated users |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US11/790,037US8996681B2 (en) | 2007-04-23 | 2007-04-23 | Passively attributing anonymous network events to their associated users |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| US20080263197A1true US20080263197A1 (en) | 2008-10-23 |
| US8996681B2 US8996681B2 (en) | 2015-03-31 |
Family
ID=39873347
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US11/790,037Active2032-12-17US8996681B2 (en) | 2007-04-23 | 2007-04-23 | Passively attributing anonymous network events to their associated users |
Country Status (1)
| Country | Link |
|---|---|
| US (1) | US8996681B2 (en) |
Cited By (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101848104A (en)* | 2010-03-17 | 2010-09-29 | 深圳市易聆科信息技术有限公司 | Recording method and device for network management system and computer equipment |
| US20110314143A1 (en)* | 2010-06-22 | 2011-12-22 | Sourcefire, Inc. | System and method for resolving operating system or service identity conflicts |
| US8272055B2 (en) | 2008-10-08 | 2012-09-18 | Sourcefire, Inc. | Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system |
| US8289882B2 (en) | 2005-11-14 | 2012-10-16 | Sourcefire, Inc. | Systems and methods for modifying network map attributes |
| US8433790B2 (en) | 2010-06-11 | 2013-04-30 | Sourcefire, Inc. | System and method for assigning network blocks to sensors |
| US8474043B2 (en) | 2008-04-17 | 2013-06-25 | Sourcefire, Inc. | Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing |
| US8578002B1 (en) | 2003-05-12 | 2013-11-05 | Sourcefire, Inc. | Systems and methods for determining characteristics of a network and enforcing policy |
| US8601034B2 (en) | 2011-03-11 | 2013-12-03 | Sourcefire, Inc. | System and method for real time data awareness |
| US8677486B2 (en) | 2010-04-16 | 2014-03-18 | Sourcefire, Inc. | System and method for near-real time network attack detection, and system and method for unified detection via detection routing |
| US20190260777A1 (en)* | 2018-02-20 | 2019-08-22 | Citrix Systems, Inc. | Systems and methods for detecting and thwarting attacks on an it environment |
| US20210306355A1 (en)* | 2020-03-25 | 2021-09-30 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US20230224275A1 (en)* | 2022-01-12 | 2023-07-13 | Bank Of America Corporation | Preemptive threat detection for an information system |
| US11973798B2 (en) | 2020-03-25 | 2024-04-30 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US12131294B2 (en) | 2012-06-21 | 2024-10-29 | Open Text Corporation | Activity stream based interaction |
| US12149623B2 (en) | 2018-02-23 | 2024-11-19 | Open Text Inc. | Security privilege escalation exploit detection and mitigation |
| US12155680B2 (en) | 2021-03-17 | 2024-11-26 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US12164466B2 (en) | 2010-03-29 | 2024-12-10 | Open Text Inc. | Log file management |
| US12197383B2 (en) | 2015-06-30 | 2025-01-14 | Open Text Corporation | Method and system for using dynamic content types |
| US12235960B2 (en) | 2019-03-27 | 2025-02-25 | Open Text Inc. | Behavioral threat detection definition and compilation |
| US12261822B2 (en) | 2014-06-22 | 2025-03-25 | Open Text Inc. | Network threat prediction and blocking |
| US12282549B2 (en) | 2005-06-30 | 2025-04-22 | Open Text Inc. | Methods and apparatus for malware threat research |
| US12412413B2 (en) | 2015-05-08 | 2025-09-09 | Open Text Corporation | Image box filtering for optical character recognition |
| US12432243B2 (en) | 2020-03-25 | 2025-09-30 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US12437068B2 (en) | 2015-05-12 | 2025-10-07 | Open Text Inc. | Automatic threat detection of executable files based on static data analysis |
Citations (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5627764A (en)* | 1991-10-04 | 1997-05-06 | Banyan Systems, Inc. | Automatic electronic messaging system with feedback and work flow administration |
| US5983270A (en)* | 1997-03-11 | 1999-11-09 | Sequel Technology Corporation | Method and apparatus for managing internetwork and intranetwork activity |
| US6492944B1 (en)* | 1999-01-08 | 2002-12-10 | Trueposition, Inc. | Internal calibration method for receiver system of a wireless location system |
| US20030051026A1 (en)* | 2001-01-19 | 2003-03-13 | Carter Ernst B. | Network surveillance and security system |
| US6646604B2 (en)* | 1999-01-08 | 2003-11-11 | Trueposition, Inc. | Automatic synchronous tuning of narrowband receivers of a wireless location system for voice/traffic channel tracking |
| US6813645B1 (en)* | 2000-05-24 | 2004-11-02 | Hewlett-Packard Development Company, L.P. | System and method for determining a customer associated with a range of IP addresses by employing a configurable rule engine with IP address range matching |
| US20050044422A1 (en)* | 2002-11-07 | 2005-02-24 | Craig Cantrell | Active network defense system and method |
| US20050044406A1 (en)* | 2002-03-29 | 2005-02-24 | Michael Stute | Adaptive behavioral intrusion detection systems and methods |
| US20050071465A1 (en)* | 2003-09-30 | 2005-03-31 | Microsoft Corporation | Implicit links search enhancement system and method for search engines using implicit links generated by mining user access patterns |
| US6904387B2 (en)* | 2001-09-25 | 2005-06-07 | Siemens Aktiengesellschaft | Hmi device and method for operating a technical facility, automation system having hmi device, and computer program product having program for carrying out the method in an hmi device or automation system |
| US6928471B2 (en)* | 2001-05-07 | 2005-08-09 | Quest Software, Inc. | Method and apparatus for measurement, analysis, and optimization of content delivery |
| US20050188423A1 (en)* | 2004-02-24 | 2005-08-25 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user behavior for a server application |
| US20060020814A1 (en)* | 2004-07-20 | 2006-01-26 | Reflectent Software, Inc. | End user risk management |
| US20060036720A1 (en)* | 2004-06-14 | 2006-02-16 | Faulk Robert L Jr | Rate limiting of events |
| US7031310B2 (en)* | 2000-12-21 | 2006-04-18 | Fujitsu Limited | Router and IP-packet-transferring method |
| US20060140182A1 (en)* | 2004-12-23 | 2006-06-29 | Michael Sullivan | Systems and methods for monitoring and controlling communication traffic |
| US7143439B2 (en)* | 2000-01-07 | 2006-11-28 | Security, Inc. | Efficient evaluation of rules |
| US7143152B1 (en)* | 2000-03-31 | 2006-11-28 | Verizon Laboratories Inc. | Graphical user interface and method for customer centric network management |
| US20060286993A1 (en)* | 2005-06-20 | 2006-12-21 | Motorola, Inc. | Throttling server communications in a communication network |
| US20070050719A1 (en)* | 1999-05-07 | 2007-03-01 | Philip Lui | System and method for dynamic assistance in software applications using behavior and host application models |
| US20070067780A1 (en)* | 2005-08-24 | 2007-03-22 | Samsung Electronics Co., Ltd. | Method and system for asynchronous eventing over the internet |
| US20080126547A1 (en)* | 2001-09-12 | 2008-05-29 | Vmware | Resource allocation in computers |
| US20090119062A1 (en)* | 2007-11-01 | 2009-05-07 | Timetracking Buddy Llc | Time Tracking Methods and Systems |
- 2007
- 2007-04-23USUS11/790,037patent/US8996681B2/enactiveActive
Patent Citations (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5627764A (en)* | 1991-10-04 | 1997-05-06 | Banyan Systems, Inc. | Automatic electronic messaging system with feedback and work flow administration |
| US5983270A (en)* | 1997-03-11 | 1999-11-09 | Sequel Technology Corporation | Method and apparatus for managing internetwork and intranetwork activity |
| US6646604B2 (en)* | 1999-01-08 | 2003-11-11 | Trueposition, Inc. | Automatic synchronous tuning of narrowband receivers of a wireless location system for voice/traffic channel tracking |
| US6492944B1 (en)* | 1999-01-08 | 2002-12-10 | Trueposition, Inc. | Internal calibration method for receiver system of a wireless location system |
| US20070050719A1 (en)* | 1999-05-07 | 2007-03-01 | Philip Lui | System and method for dynamic assistance in software applications using behavior and host application models |
| US7143439B2 (en)* | 2000-01-07 | 2006-11-28 | Security, Inc. | Efficient evaluation of rules |
| US7143152B1 (en)* | 2000-03-31 | 2006-11-28 | Verizon Laboratories Inc. | Graphical user interface and method for customer centric network management |
| US6813645B1 (en)* | 2000-05-24 | 2004-11-02 | Hewlett-Packard Development Company, L.P. | System and method for determining a customer associated with a range of IP addresses by employing a configurable rule engine with IP address range matching |
| US7031310B2 (en)* | 2000-12-21 | 2006-04-18 | Fujitsu Limited | Router and IP-packet-transferring method |
| US20030051026A1 (en)* | 2001-01-19 | 2003-03-13 | Carter Ernst B. | Network surveillance and security system |
| US6928471B2 (en)* | 2001-05-07 | 2005-08-09 | Quest Software, Inc. | Method and apparatus for measurement, analysis, and optimization of content delivery |
| US7539655B2 (en)* | 2001-05-07 | 2009-05-26 | Quest Software, Inc. | Method and apparatus for measurement, analysis, and optimization of content delivery |
| US20080126547A1 (en)* | 2001-09-12 | 2008-05-29 | Vmware | Resource allocation in computers |
| US6904387B2 (en)* | 2001-09-25 | 2005-06-07 | Siemens Aktiengesellschaft | Hmi device and method for operating a technical facility, automation system having hmi device, and computer program product having program for carrying out the method in an hmi device or automation system |
| US20050044406A1 (en)* | 2002-03-29 | 2005-02-24 | Michael Stute | Adaptive behavioral intrusion detection systems and methods |
| US20050044422A1 (en)* | 2002-11-07 | 2005-02-24 | Craig Cantrell | Active network defense system and method |
| US20050071465A1 (en)* | 2003-09-30 | 2005-03-31 | Microsoft Corporation | Implicit links search enhancement system and method for search engines using implicit links generated by mining user access patterns |
| US20050188423A1 (en)* | 2004-02-24 | 2005-08-25 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user behavior for a server application |
| US20060036720A1 (en)* | 2004-06-14 | 2006-02-16 | Faulk Robert L Jr | Rate limiting of events |
| US20060020814A1 (en)* | 2004-07-20 | 2006-01-26 | Reflectent Software, Inc. | End user risk management |
| US20060140182A1 (en)* | 2004-12-23 | 2006-06-29 | Michael Sullivan | Systems and methods for monitoring and controlling communication traffic |
| US20060286993A1 (en)* | 2005-06-20 | 2006-12-21 | Motorola, Inc. | Throttling server communications in a communication network |
| US20070067780A1 (en)* | 2005-08-24 | 2007-03-22 | Samsung Electronics Co., Ltd. | Method and system for asynchronous eventing over the internet |
| US20090119062A1 (en)* | 2007-11-01 | 2009-05-07 | Timetracking Buddy Llc | Time Tracking Methods and Systems |
Cited By (35)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8578002B1 (en) | 2003-05-12 | 2013-11-05 | Sourcefire, Inc. | Systems and methods for determining characteristics of a network and enforcing policy |
| US12282549B2 (en) | 2005-06-30 | 2025-04-22 | Open Text Inc. | Methods and apparatus for malware threat research |
| US8289882B2 (en) | 2005-11-14 | 2012-10-16 | Sourcefire, Inc. | Systems and methods for modifying network map attributes |
| US8474043B2 (en) | 2008-04-17 | 2013-06-25 | Sourcefire, Inc. | Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing |
| US9450975B2 (en) | 2008-10-08 | 2016-09-20 | Cisco Technology, Inc. | Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system |
| US8272055B2 (en) | 2008-10-08 | 2012-09-18 | Sourcefire, Inc. | Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system |
| US9055094B2 (en) | 2008-10-08 | 2015-06-09 | Cisco Technology, Inc. | Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system |
| CN101848104A (en)* | 2010-03-17 | 2010-09-29 | 深圳市易聆科信息技术有限公司 | Recording method and device for network management system and computer equipment |
| US12210479B2 (en) | 2010-03-29 | 2025-01-28 | Open Text Inc. | Log file management |
| US12164466B2 (en) | 2010-03-29 | 2024-12-10 | Open Text Inc. | Log file management |
| US8677486B2 (en) | 2010-04-16 | 2014-03-18 | Sourcefire, Inc. | System and method for near-real time network attack detection, and system and method for unified detection via detection routing |
| US8433790B2 (en) | 2010-06-11 | 2013-04-30 | Sourcefire, Inc. | System and method for assigning network blocks to sensors |
| US9110905B2 (en) | 2010-06-11 | 2015-08-18 | Cisco Technology, Inc. | System and method for assigning network blocks to sensors |
| US8671182B2 (en)* | 2010-06-22 | 2014-03-11 | Sourcefire, Inc. | System and method for resolving operating system or service identity conflicts |
| US20110314143A1 (en)* | 2010-06-22 | 2011-12-22 | Sourcefire, Inc. | System and method for resolving operating system or service identity conflicts |
| US9584535B2 (en) | 2011-03-11 | 2017-02-28 | Cisco Technology, Inc. | System and method for real time data awareness |
| US8601034B2 (en) | 2011-03-11 | 2013-12-03 | Sourcefire, Inc. | System and method for real time data awareness |
| US9135432B2 (en) | 2011-03-11 | 2015-09-15 | Cisco Technology, Inc. | System and method for real time data awareness |
| US12131294B2 (en) | 2012-06-21 | 2024-10-29 | Open Text Corporation | Activity stream based interaction |
| US12301539B2 (en) | 2014-06-22 | 2025-05-13 | Open Text Inc. | Network threat prediction and blocking |
| US12261822B2 (en) | 2014-06-22 | 2025-03-25 | Open Text Inc. | Network threat prediction and blocking |
| US12412413B2 (en) | 2015-05-08 | 2025-09-09 | Open Text Corporation | Image box filtering for optical character recognition |
| US12437068B2 (en) | 2015-05-12 | 2025-10-07 | Open Text Inc. | Automatic threat detection of executable files based on static data analysis |
| US12197383B2 (en) | 2015-06-30 | 2025-01-14 | Open Text Corporation | Method and system for using dynamic content types |
| US11277421B2 (en)* | 2018-02-20 | 2022-03-15 | Citrix Systems, Inc. | Systems and methods for detecting and thwarting attacks on an IT environment |
| US20190260777A1 (en)* | 2018-02-20 | 2019-08-22 | Citrix Systems, Inc. | Systems and methods for detecting and thwarting attacks on an it environment |
| US12149623B2 (en) | 2018-02-23 | 2024-11-19 | Open Text Inc. | Security privilege escalation exploit detection and mitigation |
| US12235960B2 (en) | 2019-03-27 | 2025-02-25 | Open Text Inc. | Behavioral threat detection definition and compilation |
| US11973798B2 (en) | 2020-03-25 | 2024-04-30 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US12069067B2 (en)* | 2020-03-25 | 2024-08-20 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US12432243B2 (en) | 2020-03-25 | 2025-09-30 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US20210306355A1 (en)* | 2020-03-25 | 2021-09-30 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US12155680B2 (en) | 2021-03-17 | 2024-11-26 | Cleafy Società per Azioni | Methods of monitoring and protecting access to online services |
| US12267299B2 (en)* | 2022-01-12 | 2025-04-01 | Bank Of America Corporation | Preemptive threat detection for an information system |
| US20230224275A1 (en)* | 2022-01-12 | 2023-07-13 | Bank Of America Corporation | Preemptive threat detection for an information system |
Also Published As
| Publication number | Publication date |
|---|---|
| US8996681B2 (en) | 2015-03-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8996681B2 (en) | Passively attributing anonymous network events to their associated users | |
| US11805148B2 (en) | Modifying incident response time periods based on incident volume | |
| US10305922B2 (en) | Detecting security threats in a local network | |
| US9984241B2 (en) | Method, apparatus, and system for data protection | |
| US10735455B2 (en) | System for anonymously detecting and blocking threats within a telecommunications network | |
| KR101836016B1 (en) | Context-aware network forensics | |
| US10027562B2 (en) | Detecting network services based on network flow data | |
| US11770396B2 (en) | Port scan detection using destination profiles | |
| US20220217162A1 (en) | Malicious port scan detection using port profiles | |
| US11811587B1 (en) | Generating incident response action flows using anonymized action implementation data | |
| US8510446B1 (en) | Dynamically populating an identity-correlation data store | |
| US11126713B2 (en) | Detecting directory reconnaissance in a directory service | |
| CN113630396B (en) | Method, device and system for processing network security alarm information | |
| WO2022171380A1 (en) | Anomaly detection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| AS | Assignment | Owner name:MITRE CORPORATION, THE, VIRGINIA Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:STEPHENS, GREGORY D.;REEL/FRAME:019291/0560 Effective date:20070419 | |
| STCF | Information on status: patent grant | Free format text:PATENTED CASE | |
| MAFP | Maintenance fee payment | Free format text:PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551) Year of fee payment:4 | |
| MAFP | Maintenance fee payment | Free format text:PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment:8 |